CyberSecurity SEE

Phishing targeting Polish SMBs continues through ModiLoader

During May 2024, ESET Research uncovered a series of widespread phishing campaigns in Poland, Romania, and Italy, predominantly targeting small and medium-sized businesses (SMBs). The attackers behind these campaigns utilized ModiLoader as the primary delivery mechanism to distribute various malware families, including Rescoms, Agent Tesla, and Formbook.

Amid phishing attacks that persisted throughout the first half of 2024, ESET researchers identified nine significant ModiLoader phishing campaigns in these countries. Seven of them targeted Poland, where ESET products safeguarded over 21,000 users. In total, more than 26,000 users were protected by ESET products during this period, most of them in Poland, followed by Italy and Romania.

Unlike the phishing campaigns observed in late 2023, which relied on AceCryptor for malware delivery, the attackers in the May 2024 campaigns shifted towards utilizing ModiLoader. This change in tactics allowed the malicious actors to successfully distribute Rescoms, Agent Tesla, and Formbook malware to unsuspecting victims within targeted organizations.

The phishing emails sent in these campaigns typically masqueraded as legitimate business inquiries or requests for quotation. By impersonating existing companies and their employees, the attackers sought to make their messages more credible and thereby more likely to persuade victims to open the malicious attachments. These attachments, disguised as ISO files or archives, contained the ModiLoader executable, which then downloaded and launched the final payload on the victim’s machine.

Once executed, ModiLoader effectively served as a delivery mechanism for various malware families, each capable of stealing sensitive information and providing remote access to the attackers. The attackers strategically used compromised email accounts and company servers not only to distribute malicious emails but also to host malware and gather stolen data for exfiltration.

In some instances, the stolen data was exfiltrated through SMTP to a domain similar to that of a legitimate company, showcasing the use of typosquatting techniques to evade detection. Furthermore, data was also observed being sent to a web server belonging to a guest house in Romania, indicating the exploitation of compromised infrastructure for malicious activities.
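Two of the behaviours described above are easy to surface from mail-gateway logs: inbound messages carrying ISO or archive attachments (the ModiLoader lure format) and outbound SMTP to a domain that is one or two characters away from the organization's own (the typosquatted exfiltration destination). The following script is an added example written for this summary, not ESET's code or tooling; the log line format, the protected domain `victim-example.pl` and every address in `SAMPLE_LOG` are constructed for illustration.

```python
"""Flag ISO/archive attachments on inbound mail and look-alike domains on
outbound mail, using a constructed mail-gateway log (format is assumed)."""
import re
from dataclasses import dataclass

# Constructed log lines; the key=value layout is an assumption, not a real product's format.
SAMPLE_LOG = """\
2024-05-06T08:12:01Z dir=in from=sales@supplier-example.pl to=office@victim-example.pl attach=Zapytanie_ofertowe.iso
2024-05-06T08:12:44Z dir=in from=hr@partner-example.ro to=office@victim-example.pl attach=invoice.pdf
2024-05-06T09:03:17Z dir=in from=info@shop-example.it to=biuro@victim-example.pl attach=Order_2024.rar
2024-05-06T09:40:59Z dir=out from=office@victim-example.pl to=box@victlm-example.pl attach=-
2024-05-06T10:15:02Z dir=out from=office@victim-example.pl to=ceo@bank-example.pl attach=report.xlsx
2024-05-06T10:20:33Z dir=out from=biuro@victim-example.pl to=drop@victim-examp1e.pl attach=-
"""

ORG_DOMAIN = "victim-example.pl"  # constructed protected domain
# Container formats commonly used to smuggle an executable past attachment filters.
RISKY_EXT = {"iso", "img", "rar", "zip", "7z", "ace", "arj", "cab"}
LINE_RE = re.compile(r"dir=(?P<dir>\w+) from=(?P<from>\S+) to=(?P<to>\S+) attach=(?P<attach>\S+)")


@dataclass
class Alert:
    rule: str
    sender: str
    recipient: str
    detail: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute); small enough for domain strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str, org: str = ORG_DOMAIN, max_dist: int = 2) -> bool:
    """True when a domain is close to, but not equal to, the protected domain."""
    return domain != org and levenshtein(domain, org) <= max_dist


def attachment_ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def scan(log: str = SAMPLE_LOG) -> list[Alert]:
    """Return one Alert per matching rule, in log order."""
    alerts: list[Alert] = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        direction, sender, rcpt, attach = m.group("dir", "from", "to", "attach")
        # Rule 1: inbound message carrying a container that can hide an executable.
        if direction == "in" and attachment_ext(attach) in RISKY_EXT:
            alerts.append(Alert("risky-attachment", sender, rcpt, attach))
        # Rule 2: the external party (sender on inbound, recipient on outbound)
        # uses a domain that imitates ours.
        peer = sender if direction == "in" else rcpt
        if is_lookalike(domain_of(peer)):
            alerts.append(Alert("lookalike-domain", sender, rcpt, domain_of(peer)))
    return alerts


if __name__ == "__main__":
    for a in scan():
        print(f"{a.rule:18} {a.sender} -> {a.recipient}  [{a.detail}]")
```

On the constructed log the script raises four alerts: two for the `.iso` and `.rar` lures and two for outbound mail to `victlm-example.pl` and `victim-examp1e.pl`. Because the report notes that the attackers sent from compromised accounts at real companies, sender reputation alone would not have caught the lures; the attachment rule is what catches them, while the look-alike rule is aimed at the exfiltration leg rather than the initial email.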

The relentless nature of these phishing campaigns targeting SMBs in Central and Eastern Europe underscores the necessity for organizations to remain vigilant against such threats. ESET Research’s continuous monitoring and detection of these malicious activities highlight the importance of robust cybersecurity measures to mitigate the risks posed by sophisticated attacks.

As attackers adapt their tactics and switch between different malware families for increased effectiveness, organizations must prioritize cybersecurity awareness, employee training, and the implementation of advanced threat detection and response solutions to defend against evolving threats. By staying informed and proactive, businesses can strengthen their defenses and reduce the likelihood of falling victim to phishing campaigns and malware infections.
